Do Authentication Questions Really Protect You?

With so much information shared online, authentication questions can be trivial for attackers to bypass.

What is your mother's maiden name? It seems like that question has been used as secondary authentication to verify identity since the dawn of time. Over time, the authentication questions have become much more diverse. Sites now ask for things like what city you went to high school in, or who was your favorite teacher, or what was your first car.

The problem with most authentication questions, though, is that the information can often be found with a simple Google search or two. Ten years ago, or even five years ago it might have been much harder to learn the answers to such obscure questions. But, in the current age of oversharing on social networks it's entirely possible all your intimate details are out there somewhere.

Have you ever participated in the Internet meme of answering a series of questions about yourself and then passing the results on to a group of friends? Many have. The purpose of the exercise is to share more information and get to know people better, but the fallout is that those questionnaires often target the same sort of semi-obscure information that authentication questions ask for.

The real problem with authentication questions is that they can be guessed or breached the same way a password can. An attacker may not know who your favorite sports team is. But, given a few contextual clues from your social networking profiles, conducting a search of your tweets on Twitter, or simply trying different sports teams out until the right one is discovered, the attacker can probably get past the authentication questions.

Like a username, the authentication question might seem like it adds a layer of security--and to some extent that's true. But, usernames are easily guessed, and authentication questions are becoming increasingly trivial to bypass thanks to social networking. The password should be the toughest part of this equation, yet many people still use their cat's name or "123456" despite years of security experts drilling about choosing better passwords.

One solution that might help a little is to make up a fictitious answer. For example, maybe you went to high school Omaha, and everyone online knows you went to high school in Omaha. But, for the purposes of your authentication security question you could change the answer to "Metropolis" or "onion rings" and just keep that information to yourself.

Some sites and services let you create your own custom authentication questions. This can also be an opportunity to create something unique that nobody but you would know the answer to. The sillier you are with both the question and the answer, the less likely it is that an attacker could guess it.

To protect your data from viruses, phishing attacks, and other malware--whether its on your PC, smartphone, or tablet--you should have some sort of cross-device security tool in place. But, when it comes to preventing unauthorized access to information stored elsewhere, two-factor authentication provides better protection.

An attacker may be able to guess your username, Google the answers to your authentication questions, and crack your password. But, if access to your data also requires a unique PIN that can only be sent to the mobile phone you have registered with the account for that purpose it makes it much harder to get in.

For all the emphasis on tools and gizmos, IT is still very much about the people who develop and use said tools and gizmos. Collaboration, mutual respect, passion for the work -- all this and more are essential to a beneficial outcome, whether your IT group is shipping code, swatting bugs, working with business users, or securing company systems.